TerryED
Copper Contributor
Feb 02, 2021

From Get-AzKeyVaultCertificate to Connect-ExchangeOnline -Certificate

I'm seeking examples/samples in PowerShell to utilize Certificate-Based Authentication with automated ExO Admin tasks.

Current solution relies on a local certificate (CurrentUser\My or LocalMachine\My) and Connect-ExchangeOnline -CertificateThumbprint. Or from a local PFX file with -CertificateFilePath.

I'm thinking that Azure Key Vault would be a better container since the tenant has control over all credentials.

I have not seen sample code to go from an AzKeyVaultCertificate object to Connect-ExchangeOnline -Certificate. Perhaps because it is so new. Perhaps because there is a better alternative.

Any advice or suggestions greatly appreciated. Thank you.

    • TerryED
      Copper Contributor

      Thank you VasilMichev. I was missing the Get-AzKeyVaultSecret ... -AsPlainText parameter. This works for me now:

      # Identity used to reach Key Vault (service principal + local certificate)
      $AzKeyVaultTenant = '<M365 Tenant ID GUID>'
      $AzKeyVaultApplicationId = '<Azure Key Vault Application ID GUID>'
      $AzKeyVaultCertificateThumbprint = '<LocalMachine Certificate Thumbprint>'
      $AzKeyVaultName = '<Azure Key Vault Name>'
      # Identity used for Exchange Online (app-only, certificate stored in Key Vault)
      $ExoOrganization = '<M365 Tenant fully qualified domain name>'
      $ExoCertificateSecretName = '<Azure Key Vault Exchange Online Certificate Name>'
      $ExoAppId = '<Exchange Online App ID GUID>'

      # Read the certificate's backing secret (base64-encoded PFX) as plain text, then drop the Az session
      Connect-AzAccount -Tenant $AzKeyVaultTenant -ApplicationId $AzKeyVaultApplicationId -CertificateThumbprint $AzKeyVaultCertificateThumbprint -ServicePrincipal | Out-Null
      $exoKeyVaultCertificateSecret = Get-AzKeyVaultSecret -VaultName $AzKeyVaultName -Name $ExoCertificateSecretName -AsPlainText
      Disconnect-AzAccount -Confirm:$FALSE | Out-Null

      # Rebuild an X509Certificate2 (with private key) from the PFX bytes; the Key Vault export has no password
      $exoCertificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList ([Convert]::FromBase64String($exoKeyVaultCertificateSecret)), '', 'Exportable,MachineKeySet,PersistKeySet'

      # Authenticate to Exchange Online with the in-memory certificate object
      Connect-ExchangeOnline -Organization $ExoOrganization -AppID $ExoAppId -Certificate $exoCertificate -ShowBanner:$False
      (Get-AcceptedDomain | Where-Object { $PSItem.Default }).DomainName
      Disconnect-ExchangeOnline -Confirm:$FALSE
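The flow in the reply above (Key Vault secret -> X509Certificate2 -> Connect-ExchangeOnline) works, but `Exportable,MachineKeySet,PersistKeySet` writes the private key into the local machine key store, which undoes part of the reason for keeping it in Key Vault. The following is an added example, not code from the original post or from the Az/ExchangeOnlineManagement modules, that keeps the key in memory only (`EphemeralKeySet`, available on .NET Framework 4.7.2+ and PowerShell 7), refuses PEM-formatted exports, checks the Key Vault certificate's Enabled flag and expiry, cross-checks the thumbprint against Key Vault's metadata, and always disconnects and disposes the certificate. The function names, the `Expires`/`Enabled`/`Thumbprint` properties of the `Get-AzKeyVaultCertificate` result, and the assumption that Connect-ExchangeOnline accepts an ephemeral-key certificate are this example's own; if your platform rejects ephemeral keys, fall back to the storage flags used in the post. All angle-bracket values are placeholders.

```powershell
# Added example (not from the original post). Requires Az.Accounts, Az.KeyVault (3.x+ for -AsPlainText)
# and ExchangeOnlineManagement. Caller must already be signed in with Connect-AzAccount using an identity
# that has Get permission on the vault's certificates and secrets.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-KeyVaultExoCertificate {
    # Returns an X509Certificate2 with a private key that is never persisted to disk.
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$CertificateName,
        [int]$MinDaysBeforeExpiry = 14          # assumption: warn when renewal is due
    )

    # Metadata first: a disabled or expired certificate should fail here, not as an opaque AADSTS error later.
    $meta = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertificateName
    if (-not $meta.Enabled) {
        throw "Key Vault certificate '$CertificateName' is disabled."
    }
    if ($meta.Expires -lt (Get-Date)) {
        throw "Key Vault certificate '$CertificateName' expired on $($meta.Expires)."
    }
    if ($meta.Expires -lt (Get-Date).AddDays($MinDaysBeforeExpiry)) {
        Write-Warning "Key Vault certificate '$CertificateName' expires on $($meta.Expires); rotate it soon."
    }

    # The certificate's backing secret holds the private key. Default content type is PKCS#12 (base64 PFX);
    # a PEM-type certificate comes back as text and would not parse as PFX bytes.
    $secretText = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertificateName -AsPlainText
    if ($secretText.TrimStart().StartsWith('-----BEGIN')) {
        throw "Certificate '$CertificateName' was exported as PEM; this example expects PKCS#12 content type."
    }

    $pfxBytes = [Convert]::FromBase64String($secretText)
    try {
        # EphemeralKeySet: private key lives only in this process, nothing lands in CurrentUser\My or LocalMachine\My.
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, [string]::Empty, $flags)
    }
    finally {
        # Best-effort scrub of the raw PFX bytes once the certificate object owns the key.
        [Array]::Clear($pfxBytes, 0, $pfxBytes.Length)
    }

    if (-not $cert.HasPrivateKey) {
        throw "Loaded certificate '$CertificateName' has no private key; check the vault's export policy."
    }
    if ($cert.Thumbprint -ne $meta.Thumbprint) {
        throw "Thumbprint mismatch: vault reports $($meta.Thumbprint), loaded object is $($cert.Thumbprint)."
    }
    return $cert
}

function Invoke-ExoWithKeyVaultCertificate {
    # Connects app-only to Exchange Online, runs the script block, and always tears the session down.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$Organization,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )
    try {
        Connect-ExchangeOnline -Organization $Organization -AppId $AppId -Certificate $Certificate -ShowBanner:$false
        & $ScriptBlock
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
        $Certificate.Dispose()   # releases the ephemeral private key handle
    }
}

# Usage (placeholders as in the post). The Az session is only needed long enough to read the certificate.
Connect-AzAccount -Tenant '<M365 Tenant ID GUID>' -ApplicationId '<Azure Key Vault Application ID GUID>' `
    -CertificateThumbprint '<LocalMachine Certificate Thumbprint>' -ServicePrincipal | Out-Null
try {
    $exoCert = Get-KeyVaultExoCertificate -VaultName '<Azure Key Vault Name>' -CertificateName '<Azure Key Vault Exchange Online Certificate Name>'
}
finally {
    Disconnect-AzAccount -Confirm:$false | Out-Null
}

Invoke-ExoWithKeyVaultCertificate -Certificate $exoCert -AppId '<Exchange Online App ID GUID>' `
    -Organization '<M365 Tenant fully qualified domain name>' -ScriptBlock {
        (Get-AcceptedDomain | Where-Object { $PSItem.Default }).DomainName
    }
```

Because the private key never touches the local certificate store, a compromised runner host yields at most the in-process key for the lifetime of the job, and rotating the certificate is a Key Vault operation with no cleanup on the automation host. The thumbprint check also gives you a single value to log per run, which is what you want to correlate against the certificate IDs visible in the Azure AD sign-in logs.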
